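# /etc/postfix/main.cf -- Postfix MTA configuration for ketrenos.com.
# See /usr/share/postfix/main.cf.dist for a commented, more complete version.
# Postfix semantics that matter when editing this file:
#   - a parameter set twice keeps the LAST value (duplicates silently shadow
#     earlier ones, which is why each parameter below now appears once);
#   - values are single-line unless continuation lines are indented;
#   - full-line "#" comments only; text after a value is part of the value.

# Debian specific:  Specifying a file name will cause the first
# line of that file to be used as the name.  The Debian default
# is /etc/mailname.
#myorigin = /etc/mailname

myhostname = ketrenos.com
#myhostname = static-50-126-85-202.cor02.bvtn.or.ptr.ziplyfiber.com
#myhostname = mail.ketrenos.com

# Logging (maillog_file needs Postfix 3.4+; compatibility_level 3.6 is set below)
maillog_file = /var/log/postfix.log

smtpd_banner = $myhostname ESMTP $mail_name

# Enable unverified_sender_verify
# 2022-05-26
# NOTE(review): Postfix documents this as a 4xx temporary-failure code
# (default 450); 250 is a success-class code.  It is currently inert because
# reject_unverified_sender is wrapped in warn_if_reject below (log only), but
# confirm the intended value before removing warn_if_reject.
unverified_sender_defer_code = 250

biff = no

# 2020-09-16 set max size to 50M as more and more
# messages are exceeding 32M
#
# 2021-05-16 set max size to 200M (2^28) as we are seeing Insufficient
# system storage bounces.
#
# NOTE(review): the value in effect is 0, which DISABLES the limit entirely
# (not the 200M = 268435456 bytes described above).  With no cap, a single
# large submission can fill the queue/spool; restore an explicit byte count
# if the history above still reflects the intent.
message_size_limit = 0

# appending .domain is the MUA's job.
append_dot_mydomain = no

# Uncomment the next line to generate "delayed mail" warnings
#delay_warning_time = 4h

readme_directory = no

#debug_peer_list = 127.0.0.1

# NOTE:
# `smtpd` prefix is for receiving connections.  `smtp` is for outbound
# connections

# TLS parameters
#smtpd_use_tls = yes
# NOTE(review): "no" lets clients send SASL AUTH credentials on a session that
# has not negotiated STARTTLS.  "yes" makes AUTH available only after TLS and
# is the usual hardening when TLS is already offered (it is, see
# smtpd_tls_security_level = may below); check for legacy plaintext-only
# clients before changing it.
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/letsencrypt/live/mail.ketrenos.com/fullchain.pem
smtpd_tls_key_file = /etc/letsencrypt/live/mail.ketrenos.com/privkey.pem

# Trying to fix insufficient space
smtpd_proxy_timeout = 240s

smtpd_tls_received_header = yes
smtpd_tls_ask_ccert = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
smtp_tls_note_starttls_offer = yes

# Disable Poodle
# NOTE(review): excluding only SSLv2/SSLv3 still allows TLS 1.0 and 1.1.
# Postfix 3.6+ accepts "smtp_tls_protocols = >=TLSv1.2" (and the same for the
# smtpd_ and *_mandatory_ variants); with security_level "may" the outbound
# side may fall back to cleartext for peers that cannot negotiate, so review
# delivery logs after tightening.
smtp_tls_security_level = may
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtp_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_security_level = may
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3

# Force TLS for outgoing server connection (per-destination policy table)
smtp_tls_policy_maps = hash:/etc/postfix/tls_policy

smtp_tls_CApath = /etc/ssl/certs/
smtpd_tls_CApath = /etc/ssl/certs/
smtp_tls_CAfile = /etc/ssl/certs/ca-certificates.crt
smtpd_tls_CAfile = /etc/ssl/certs/ca-certificates.crt

# Changes to SSL Ciphers
tls_preempt_cipherlist = yes
# NOTE(review): *_mandatory_ciphers applies only at mandatory TLS levels
# (encrypt/verify/secure).  At the opportunistic level "may" used above, the
# inbound cipher grade comes from smtpd_tls_ciphers (Postfix default: medium),
# so this "high" setting has no effect on ordinary inbound sessions.
smtpd_tls_mandatory_ciphers = high

# If this is used, facebook stops being able to deliver to us :(
# NOTE(review): keep this disabled as-is.  The list contains ADH-* (anonymous,
# unauthenticated key exchange) and NULL-SHA256 (no encryption); if a custom
# cipherlist is ever reintroduced, drop those entries first.
#tls_high_cipherlist = ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA256:ADH-AES256-GCM-SHA384:ADH-AES256-SHA256:ECDH-RSA-AES256-GCM-SHA384:ECDH-ECDSA-AES256-GCM-SHA384:ECDH-RSA-AES256-SHA384:ECDH-ECDSA-AES256-SHA384:AES256-GCM-SHA384:AES256-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-DSS-AES128-SHA256:ADH-AES128-GCM-SHA256:ADH-AES128-SHA256:ECDH-RSA-AES128-GCM-SHA256:ECDH-ECDSA-AES128-GCM-SHA256:ECDH-RSA-AES128-SHA256:ECDH-ECDSA-AES128-SHA256:AES128-GCM-SHA256:AES128-SHA256:NULL-SHA256

#smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
#smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache

# See /usr/share/doc/postfix/TLS_README.gz in the postfix-doc package for
# information on enabling SSL in the smtp client.

# Obsolete pre-2.3 TLS switches.  Postfix ignores them whenever the
# *_tls_security_level parameters above are non-empty, and "smtp_use_tls = no"
# contradicted smtp_tls_security_level = may; kept here commented out so the
# history is visible.
#smtpd_use_tls = yes
#smtp_use_tls = no

alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases

# Support multiple recipient delimiters (_ and +)
# The regexp canonical map rewrites "+" extensions to "_" so that Postfix only
# has to know one delimiter.
# NOTE(review): with "_" as delimiter, any local part that itself contains "_"
# is split at that character; make sure no real mailbox names contain "_".
canonical_maps = regexp:/etc/postfix/canonical
recipient_delimiter = _
# Example /etc/postfix/canonical:
# /^([^@]+)\+(.*)@ketrenos\.com$/ ${1}_${2}@ketrenos.com
# sudo postmap /etc/postfix/canonical
# sudo systemctl restart postfix
# (regexp: tables are read directly at runtime; postmap is only useful here
# for syntax checking, e.g. "postmap -q test+x@ketrenos.com regexp:/etc/postfix/canonical")

# Mailman3 support (via ketrenet-mailman-core)
unknown_local_recipient_reject_code = 550
owner_request_special = no
transport_maps = hash:/opt/mailman/postfix_lmtp
# NOTE(review): this REPLACES the Postfix default local_recipient_maps
# (proxy:unix:passwd.byname $alias_maps) rather than extending it.  If local
# Unix mailboxes are still meant to receive mail, append that default here;
# otherwise non-list recipients in mydestination domains are rejected with 550.
local_recipient_maps = hash:/opt/mailman/postfix_lmtp
# relay_domains was previously set twice in this file: here as
# hash:/opt/mailman/postfix_domains and again further down as a literal domain
# list.  Postfix keeps only the last assignment, so the Mailman domain table
# was silently never consulted.  Both sources are combined here, and the
# parameter is set exactly once.
# NOTE(review): ketrenos.com and email.ketrenos.net are also listed in
# mydestination; Postfix logs a "do not list domain ... in BOTH mydestination
# and relay_domains" warning for them, and because relay_domains matches
# subdomains by default, anything under those domains is accepted for relay.
relay_domains = ketrenos.com, email.ketrenos.net, webserver.ketrenos.net, hash:/opt/mailman/postfix_domains

myorigin = /etc/mailname
mydestination = ketrenos.com, kiaoramassage.com, sketchitect.com, localhost, email.ketrenos.net, ketrenos.net
relayhost =
mailbox_size_limit = 0
inet_interfaces = all
inet_protocols = ipv4
home_mailbox = Maildir/

# SASL (Dovecot) authentication for submission
smtpd_sasl_auth_enable = yes
smtpd_sasl_type = dovecot
smtpd_sasl_path = private/auth_client
# NOTE(review): "yes" records the authenticated SASL username in the Received:
# header of every message a user sends, i.e. it is visible to all recipients.
smtpd_sasl_authenticated_header = yes
smtpd_sasl_security_options = noanonymous
smtpd_sasl_tls_security_options = noanonymous
smtp_sasl_security_options = noanonymous
smtp_sasl_tls_security_options = noanonymous
smtpd_sasl_local_domain =
smtpd_helo_required = yes
broken_sasl_auth_clients = yes

# Hosts matched by permit_mynetworks: they bypass the RBL, SPF, sender and
# recipient checks below and may relay anywhere.  192.168.0.0/16 is the whole
# private range; narrow it to the subnets that actually need relay rights.
mynetworks = 127.0.0.0/8 192.168.0.0/16

mailbox_command = /usr/lib/dovecot/deliver -c /etc/dovecot/dovecot.conf -m "${EXTENSION}" -a "${RECIPIENT}"
tls_random_source = dev:/dev/urandom
content_filter = smtp-amavis:[127.0.0.1]:10024

#transport_maps = hash:/etc/postfix/transport
mailman_destination_recipient_limit = 1

# smtpd_client_restrictions =
#	permit_mynetworks
#	reject_plaintext_session

# Evaluated in order; the first permit/reject that matches wins.
smtpd_recipient_restrictions =
	permit_mynetworks
	check_recipient_access hash:/etc/postfix/recipient_restrictions
	permit_sasl_authenticated
	reject_unauth_destination
	reject_rbl_client zen.spamhaus.org=127.0.0.[2..11],
	check_sender_access hash:/etc/postfix/sender_checks
	check_policy_service unix:private/policy-spf
	reject_unknown_sender_domain
	warn_if_reject reject_unverified_sender

smtpd_sender_restrictions =
	permit_mynetworks
	reject_unknown_sender_domain

# Added check_sender_access to block all spoofed root@ketrenos.com email sends
# NOTE(review): permit_mynetworks runs before the sender check, so hosts in
# mynetworks are not subject to it; move check_sender_access above
# permit_mynetworks if LAN hosts should be blocked too.
smtpd_relay_restrictions =
	permit_mynetworks
	check_sender_access hash:/etc/postfix/sender_restrictions
	check_recipient_access hash:/etc/postfix/recipient_restrictions
	permit_sasl_authenticated
	reject_unauth_destination

milter_connect_macros = i b j _ {daemon_name} {if_name} {client_addr}

# https://www.digitalocean.com/community/tutorials/how-to-install-and-configure-dkim-with-postfix-on-debian-wheezy
milter_protocol = 2
# "accept" fails open: if the greylist or OpenDKIM milter is down, mail is
# accepted unsigned/unchecked.  Use "tempfail" to defer instead if the milters
# are considered mandatory.  (This parameter was previously set twice with the
# same value; it is now set once.)
milter_default_action = accept
smtpd_milters = unix:milter-greylist/milter-greylist.sock, local:opendkim/opendkim.sock
#smtpd_milters = unix:/milter-greylist/milter-greylist.sock
# Locally submitted mail (sendmail/pickup) goes through the same milters,
# including greylisting; presumably milter-greylist exempts local sources.
non_smtpd_milters = $smtpd_milters

policy-spf_time_limit = 3600s
compatibility_level = 3.6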